The world’s biggest social media site, with more than two billion people using it every month, is making the headlines once again. Facebook (FB), as we all know, is back in the news for storing hundreds of millions of users’ passwords in plain text for years. A string of errors led certain FB-branded apps to leave passwords accessible to as many as 20,000 company employees.
The company is currently investigating the case. But, according to a March 21 blog post (Keeping Passwords Secure), in January it discovered that some users’ passwords had been stored in readable form within its internal data storage systems. The password logging reportedly started as early as 2012.
“This caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable,” wrote Facebook VP of Engineering, Security and Privacy Pedro Canahuati. “We have fixed these issues and as a precaution, we will be notifying everyone whose passwords we have found were stored in this way.”
Canahuati explained that the passwords were never visible to anyone outside the company and that there is no evidence they were internally abused or improperly accessed.
“Unfortunately, such undocumented features are quite widespread in large technology companies,” said High-Tech Bridge CEO Ilia Kolochenko. “Frequently, there is no malicious intent or negligence, but rather an internal ‘hack’ to better resolve some issues or conduct testing.”
Kolochenko said that “shadow data and its usage are virtually uncontrollable, and even now it would be premature to conclude that the [Facebook] issue is totally remediated – numerous backups, including custom backups made by employees, may still exist in different and unknown locations.”
Tim Buntel, VP of Application Security Products at Threat Stack, said the revelation that Facebook stored millions of plain-text passwords on an unencrypted internal server is indicative of the challenges commonly found in large organizations, where simple security tasks can be overlooked or ignored.
“It is important to consider where data will be stored, how it will be secured, and if that protection is risk appropriate at all stages of the development and operations life-cycle,” Buntel said. “The lesson here is to prioritize security observability, so organizations can easily identify vulnerabilities and misconfigurations like this.”
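Canahuati’s point about masking passwords and Buntel’s point about observability both come down to the same control: sensitive fields must never reach internal logs in the clear, and existing logs must be auditable for leaks. The following is an added example, not Facebook’s code or anything from the article; the field names and sample log lines are constructed for illustration.

```python
import re
from typing import Iterable, List

# Field names that must never be logged in the clear (assumption: extend per application).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "pass", "pwd")
REDACTED = "[REDACTED]"

_KEYS = "|".join(SENSITIVE_KEYS)
# key=value or key: value pairs in query strings, form bodies and free-form log text.
_KV_RE = re.compile(r"(?i)\b(" + _KEYS + r")(\s*[=:]\s*)([^&\s,;\"']+)")
# JSON-style "key": "value" pairs embedded in a log line.
_JSON_RE = re.compile(r'(?i)("(?:' + _KEYS + r')"\s*:\s*")([^"]*)(")')


def redact_line(line: str) -> str:
    """Mask the value of every sensitive key found in a free-form log line."""
    line = _JSON_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), line)
    return _KV_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)


def redact_record(record: dict) -> dict:
    """Mask sensitive keys in a structured log record, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = REDACTED          # drop the value, keep the key for debugging
        elif isinstance(value, dict):
            out[key] = redact_record(value)
        elif isinstance(value, str):
            out[key] = redact_line(value)  # strings may embed key=value text
        else:
            out[key] = value
    return out


def find_exposed_lines(lines: Iterable[str]) -> List[str]:
    """Audit helper: return the lines that still carry a sensitive value in the clear."""
    return [ln for ln in lines if redact_line(ln) != ln]


# Constructed sample request-log lines (not real data).
SAMPLE_LOG = [
    "2019-01-15 10:02:11 INFO login ok user=alice",
    "2019-01-15 10:02:12 DEBUG POST /login body=user=bob&password=hunter2&remember=1",
    '2019-01-15 10:02:13 DEBUG payload {"user": "carol", "password": "s3cr3t!"}',
]

if __name__ == "__main__":
    for exposed in find_exposed_lines(SAMPLE_LOG):
        print("LEAK:", exposed, "->", redact_line(exposed))
```

Running `find_exposed_lines` over archived logs gives the kind of check that would have surfaced the logging described above, while `redact_record` is the filter that belongs in the logging pipeline itself.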
Thycotic Chief Information Security Officer Terence Jackson questioned whether the flaw was an acceptable risk.
“Assuming they are following an SSDLC, this should have definitely been a core protection built into the system,” Jackson said. “The fact that there is no evidence that anyone external to Facebook had access to the unencrypted passwords is not reassuring.”
As a Facebook user, Jackson questioned why an internal employee would require access to his unencrypted password, and said that ultimately it is still up to the consumer to govern the data shared with services like these. This won’t be the last of Facebook’s problems, he added.
Facebook has been under attack by politicians and privacy advocates alike. Recently, Sen. Elizabeth Warren, D-Mass., called for the break-up of big tech companies, including Facebook, to promote privacy and competition.
A number of scandals have surfaced in a short span, following Mark Zuckerberg’s commitment to pivot his platform toward privacy over the coming years.
Competition in Facebook’s space is also limited by the fact that major players like Instagram and WhatsApp are already owned by Facebook, Inc. The company is additionally reported to be under a criminal probe for its data-sharing practices with “partners”, more than 150 companies in all.
This is the latest in a string of bad security issues for Facebook. In October, a hacker was able to access personal information from 29 million accounts after stealing login tokens. Prior to that, hacked private messages from 81,000 users were found to have been put up for sale.
But users will likely have to bear some of the onus for countering privacy violations and breaches. Noting that issues like this “are very time consuming to discover even with an external audit,” Kolochenko said, “when dealing with large technology companies be well prepared to understand that they know everything about you and [internally] may handle this data differently from what their policy or terms of services say.”